River Financial Corp 10-K Cybersecurity GRC - 2024-03-12

Page last updated on July 16, 2024

River Financial Corp reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2024-03-12 15:54:54 EDT.


10-K filed on 2024-03-12

River Financial Corp filed a 10-K at 2024-03-12 15:54:54 EDT
Accession Number: 0000950170-24-029883


Item 1C. Cybersecurity.

Risk Management and Strategy

Our policies for Cybersecurity and the Safeguarding of Data, Computing Systems and Confidential Client Information establish the administrative, technical and physical safeguards and risk mitigations that are implemented to protect the security and confidentiality of all customer information, as set forth by the federal regulatory authorities’ interagency guidelines mandated by Section 501 of the Gramm-Leach-Bliley Act of 1999 and Part 364, Appendix B of the FDIC Rules and Regulations. Our objective is to emphasize compliance with all information and cybersecurity requirements, including those detailed in the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework, regulatory guidance, FFIEC guidance and regulatory agency guidelines, which provide established standards for cybersecurity and the safeguarding of customer information and Bank assets.

Security Operation and Governance

Our Board-chartered IT Committee oversees implementation, monitoring, and assessment of cybersecurity risks as they relate to the comprehensive Information Systems Security Program (ISSP). In fulfilling its duties, the Committee ensures the development of appropriate policies. The Committee reviews and discusses policies, procedures, and projects with management and, after taking into consideration any matters that the IT Committee may deem advisable, annually recommends such policies to the Board of Directors for review and ultimately approval. The Board of Directors receives cybersecurity status updates and training and is encouraged to engage with questions. The frequency of these cybersecurity updates is driven by events in the world, cyber threats and alerts received by the Bank’s ISO, Management or Technology Administrator.

Information Technology and Cybersecurity Management

Our Information Security Officer (ISO) is responsible for overseeing the Bank’s strategies necessary to ensure the confidentiality, integrity, and availability of electronic information by communicating risk to senior administration, creating and maintaining enforceable policies and procedures, and ensuring compliance with regulatory requirements. Under the oversight and guidance of the IT Committee, the Board of Directors, and the HR Department’s ISO Job Description, the ISO is responsible for the following:
- Overall security and control of the network and computing systems.
- Coordinating the education and training of new and existing employees on Network and Physical Security Policies as outlined in the Information Systems Security Policy.
- Management of all detection systems directly connected to the Internet/network, which are subject to ongoing review of generated reports and to risk assessments performed by independent auditors and vulnerability identification software.
- Management of the audit function, which will periodically review the information security policies, standards, and procedures and ensure the adequacy of information system controls and compliance.
- Providing reports to the IT Committee, Senior Management, and the Board of Directors, as needed or required, concerning the Bank’s security posture.
- Oversight and management of technology vendors and suppliers.

Security Competencies

The Information Security Program oversees a program of security competencies and tools designed to protect the confidentiality, integrity, and availability of our data. This level of competency is attained through regulatory examination, scheduled audits, internal risk assessments, security scanning of assets and annual testing. We participate in annual programs including the FFIEC Cybersecurity Assessment Program, which measures and defines our inherent risks and the maturity of our preparedness. This process is overseen by our IT Committee and presented to the Board of Directors.

Third-Party Risk Management

Any new organization or party with which the Bank is interested in establishing a relationship that will or may require sharing or access to confidential client information must go through a series of qualification guidelines prior to the release of information or implementation of services. These procedures are in place to demonstrate our commitment to safeguarding confidential information while documenting due diligence. New third parties are assessed through our pre-engagement process. The next level of engagement involves a Risk Dependency Assessment to determine the vendor’s Tier Level, and a full due-diligence review of policies and independent audits of Critical Vendors as defined in policy.

Security Awareness and Education

The Bank provides annual, mandatory on-site training for personnel regarding security awareness, to equip personnel with the understanding of how to properly use and protect the computing resources entrusted to them, and to communicate the Bank’s information security policies, standards, processes, and practices. The staff IT training process is monitored, tracked and reported to the IT Committee and Board of Directors. We have also employed a program of staff phishing tests, with staff responses evaluated and reported to the IT Committee and the Board of Directors.

Incident Response Program (IRP)

The Bank’s ability to respond to security incidents in a planned and coordinated fashion is important to the success of its information systems security program. The IRP has been developed to provide protections for both the Bank and the Bank’s customers and to mitigate the negative effects of cybersecurity events or security breaches on the Bank itself. The program also identifies the Bank’s Information Security Response Team (ISIRT) Policy and program procedures, which are tested annually.

A 24/7 monitored intrusion prevention system, an internal intrusion detection system and firewalls are in place to assist in the identification of unauthorized system access. Network and application security reports are reviewed by Bank personnel and used to help in the detection process. Our ISO and Management Committees are continually informed about the latest developments in cybersecurity, including potential threats and innovative risk management techniques. This ongoing knowledge acquisition is crucial for the effective prevention, detection, mitigation, and remediation of cybersecurity incidents. To assist our Information Security Team in such knowledge acquisition, we subscribe to certain services that provide us with alerts on security incidents and threats. Our ISO oversees the implementation of and the processes for the regular monitoring of our information systems. This includes the deployment of advanced security measures and regular system audits to identify potential vulnerabilities. As previously noted, in the event of a cybersecurity incident, the ISIRT Plan is enacted. This plan includes immediate actions to mitigate the impact of and remediate the incident.

Company Information

Name: River Financial Corp
SIC Description: State Commercial Banks
Ticker: RVRF - OTC
Category: Accelerated filer, Smaller reporting company
Fiscal Year End: December 30